CVE-2025-6325: 
WordPress vulnerability analysis and mitigation

The King Addons for Elementor WordPress plugin versions up to 51.1.36 contains a critical privilege escalation vulnerability (CVE-2025-6325). The vulnerability was discovered on July 19, 2025, and affects over 10,000 active installations. This security flaw allows unauthenticated attackers to register new accounts with arbitrary roles, including administrator privileges, potentially leading to full site compromise (Patchstack, Rapid7).

The vulnerability exists in the includes/widgets/LoginRegisterForm/LoginRegisterFormAjax.php file, where the plugin's registration handler allowed client-supplied roles without proper validation. An unauthenticated attacker could exploit this by posting to the registration endpoint with action=kingaddonsuserregister and user_role=administrator parameters. The vulnerability requires that site registration is enabled and the King Addons Login | Register Form widget is enabled on a page. The CVSS score for this vulnerability is 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Patchstack).

If exploited, this vulnerability allows attackers to create administrator accounts on affected WordPress sites, leading to complete site compromise. The attacker would gain full administrative access, enabling them to modify site content, install malicious plugins, access sensitive information, and potentially compromise the entire website infrastructure (Patchstack).

The vulnerability was patched in version 51.1.36 with the implementation of a role allowlist and input sanitization. The fix restricts the available roles to safe options like 'subscriber' and 'customer'. Site administrators are strongly advised to update to version 51.1.37 or later immediately. The patch includes sanitization of the user_role input and implements proper role restrictions (Patchstack).